7 Replies Latest reply: Feb 17, 2014 8:40 AM by Peter Cammaert

    Access with security problem

      Hi all,

      I have a problem with the security and I want to understand if it is the proper functioning of the instrument or if it is my mistake.

      I have 2 groups in Windows, (Qlik Admin, Qlik User ) and two users:
      - User A with the named licence, inserted in the Qlik Admin group; this user can see all the dashboards published.
      - User B with the document licence, inserted in the Qlik User group. Can see only one dashboard.

      I have published two dashboards:
      - GlobalDashboard, in Windows only group Qlik Admin is qualified to see it. Qlik User has the deny set.
      - ReducedDashboard, Qlik Admin and Qlik User can see this document.

      Now, if User A enters the Qlik Access Point, he can correctly open all the documents with his user and password; the same for User B, he can open only the ReduceDocument.
      The problem is when I enter the Access Point with the USER A user and password and then I open the GlobalDocument with the USER B user and password.

      I would have expected an error message, as USER B has only license DOCUMENT on ReducedDashboard; instead he can access and see all data.

      Is this behavior correct? Is something wrong in the settings?
      Thanks for the support.

        • Re: Access with security problem
          Peter Cammaert

          Section Access is separate from everything else. There is no link between what you define in SA, and who gets a license from a QlikView Administrator. Although the two work together to grant or deny access to information.

           

          Are you using Section Access with USERID/PASSWORD in your documents?

           

          Peter

            • Re: Access with security problem

              Hi,
                thanks for your reply.
               
                Yes, in Section Access, I use USER/PASSWORD and if I access with the correct credentials in Qlik Access Point and next in the document, I see everything in the right way (if user B accesses the portal with his credentials and then opens the GlobalDashboard, he receives an error; if he tries to open ReducedDashboard, he can access it in the right way).

                What I don't understand is, if USER B uses the administrator user and password for the Access Point, then he can open GlobalDashboard with his user without having the right and without having the licence on it.
               
                thanks for your help.
                Marco

                • Re: Access with security problem
                  Peter Cammaert

                  If User B enters the AccessPoint with administrator credentials, he will be known throughout the site as Administrator. Since document permissions are based on AD account (I'm assuming your setup uses AD to authenticate), he will see GlobalDashboard and have permission to open it (before Section Access kicks in). I guess that Administrator has been assigned a Named CAL, so that will be the license he uses.

                   

                  I do not understand yet why the USERID/PASSWORD entry in Section Access doesn't block User B from entering the document. Do you always get a Login dialog when you click on the document in the AccessPoint?

                   

                  Best,

                   

                  Peter

                    • Re: Access with security problem

                      Hi Peter,

                      I always get the Login dialog box, but in the Section Access I filter the document on a field based on the user who accesses it. I haven't denied the possibility to see the entire document to some users. I thought it was enough to assign Document licenses on a document to deny the user access to other documents.

                      So I can't do it that way?

                        • Re: Access with security problem
                          Peter Cammaert

                          Yes, you can, although your method isn't exactly a best practice...

                           

                          I would suggest a different setup that makes things both simpler (easier to manage) and more secure:

                           

                          • Use AD accounts to identify your portal visitors. SSO will allow them to visit the QlikView AccessPoint without so much as a login. Authentication will be automatic and transparent.
                          • Use Section Access to effectively restrict access to the insides of a document by enabling Data Reduction and Strict Exclusion.
                          • In Section Access, use field NTNAME instead of USERID/PASSWORD. This brings many advantages: only a single identification field, no password management inside your document but only in AD, automatic recognition again (no more login dialogs) and you have the possibility to use your groups in the NTNAME field, instead of individual user IDs. From your details (which probably aren't complete) I get that your Section Access table may shrink to 2 or 3 rows.

                           

                          Security is as tight as its weakest link: the end-user. If you start distributing multiple credentials (like you did in the example: you are User A and User B at varying times) to different users, your security measures won't always reach their intended target.

                           

                          Best,

                           

                          Peter
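
The setup suggested in the last reply, sketched as a QlikView load script. This is an added example and not part of the original thread: the domain `MYDOMAIN`, the reduction field `REGION` and the sample rows are constructed, and the group names are the ones from the question.

```qlikview
// Added illustration; MYDOMAIN, REGION and all rows are constructed.
// Identification is by Windows account or group (NTNAME), so the document
// stores no USERID/PASSWORD pairs and shows no login dialog of its own.
Section Access;
LOAD * INLINE [
ACCESS, NTNAME, REGION
ADMIN, MYDOMAIN\QLIK ADMIN, EUROPE
ADMIN, MYDOMAIN\QLIK ADMIN, ASIA
USER, MYDOMAIN\QLIK USER, EUROPE
];
Section Application;

// The reduction field must also exist in the data model under the same
// upper-case name, with upper-case values, so that the Section Access
// table links to the data.
Sales:
LOAD * INLINE [
REGION, Amount
EUROPE, 100
ASIA, 250
];

// In the document's properties, enable initial data reduction based on
// Section Access together with Strict Exclusion, so that an account whose
// rows match no REGION value is refused instead of seeing unreduced data.
```

With this table the identity that opens the document is the same Windows identity that logged on to the AccessPoint, so the file permissions on the document, the license assignment and the row-level reduction are all evaluated for one account.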